[jboss-jira] [JBoss JIRA] (WFLY-2087) Administrator should be prevented from modifying super user and auditor roles.

Brian Stansberry (JIRA) jira-events at lists.jboss.org
Sun Sep 22 23:25:03 EDT 2013


    [ https://issues.jboss.org/browse/WFLY-2087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806309#comment-12806309 ] 

Brian Stansberry commented on WFLY-2087:
----------------------------------------

I think this bug can be fixed simply with the addition of a new AllowsAllowNotConstraint type. The "allows" part is simply whether the role is SuperUser. The "is" part is whether the target resource is a resource mapping resource for /core-service=management/access=authorization/role-mapping=Auditor/** or role-mapping=SuperUser/**.

I don't think scoped roles come into play, as no scoped role has write permissions for the access control stuff. So ServerGroupASuperUser or HostBSuperUser not being able to modify those resources is fine; they can't anyway.

Darran, feel free to assign this to me if you'd like, as I have a pretty clear idea of what to do.
                
> Administrator should be prevented from modifying super user and auditor roles.
> ------------------------------------------------------------------------------
>
>                 Key: WFLY-2087
>                 URL: https://issues.jboss.org/browse/WFLY-2087
>             Project: WildFly
>          Issue Type: Sub-task
>          Components: Domain Management, Security
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Critical
>             Fix For: 8.0.0.Beta1
>
>
> These roles have maximum privileges in their area, i.e. super user can do everything and auditor can stop changes to the server being logged.
> The administrator role should be prevented from modifying these two roles.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
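
The two-part check proposed in the comment above, written out as an added example (this is not WildFly code and not part of the original message). Class and method names are hypothetical; the case-insensitive role-name match and the sample addresses are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical sketch, not a WildFly class: models only the proposed constraint.
public class ProtectedRoleMappingCheck {

    // Role mappings named in the issue as off-limits to Administrator.
    private static final Set<String> PROTECTED = Set.of("superuser", "auditor");
    private static final List<String> PARENT =
            List.of("core-service=management", "access=authorization");

    // Split "/a=b/c=d" into ["a=b", "c=d"].
    static List<String> parse(String address) {
        return Arrays.asList(address.replaceAll("^/+|/+$", "").split("/"));
    }

    // "is" part: the address is role-mapping=Auditor or role-mapping=SuperUser, or anything below.
    static boolean isProtectedRoleMapping(List<String> addr) {
        if (addr.size() <= PARENT.size() || !addr.subList(0, PARENT.size()).equals(PARENT)) {
            return false;
        }
        String[] kv = addr.get(PARENT.size()).split("=", 2);
        // Assumption: compare the role name case-insensitively so odd casing fails closed.
        return kv.length == 2 && kv[0].equals("role-mapping")
                && PROTECTED.contains(kv[1].toLowerCase(Locale.ROOT));
    }

    // "allows" part: only the unscoped SuperUser role qualifies.
    static boolean allows(String role) {
        return "SuperUser".equals(role);
    }

    // The constraint vetoes a write only when the target is protected and the role is not SuperUser.
    static boolean permitsWrite(String role, String address) {
        return allows(role) || !isProtectedRoleMapping(parse(address));
    }

    public static void main(String[] args) {
        String base = "/core-service=management/access=authorization/role-mapping=";
        // Constructed sample addresses.
        String[] targets = { base + "Auditor", base + "SuperUser/include=user-jdoe", base + "Deployer" };
        for (String role : new String[] { "SuperUser", "Administrator", "ServerGroupASuperUser" }) {
            for (String t : targets) {
                System.out.printf("%-22s %-85s %s%n", role, t, permitsWrite(role, t) ? "allowed" : "denied");
            }
        }
    }
}
```

The sketch covers this one constraint only: an "allowed" result means the constraint does not veto the write, and a role's ordinary permissions still have to grant it.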